CVE-2025-2842

Severity: MEDIUM
Published: 2025-04-02 [email protected]
CVSS 3.1 base score: 4.3

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd), patch available
Analysis Generated: Mar 22, 2026 - 05:22 (vuln.today)
CVE Published: Apr 02, 2025 - 12:15 (nvd)

Description

A flaw was found in the Tempo Operator. When the Jaeger UI Monitor Tab functionality is enabled in a Tempo instance managed by the Tempo Operator, the Operator creates a ClusterRoleBinding for the Service Account of the Tempo instance to grant the cluster-monitoring-view ClusterRole. This can be exploited if a user has 'create' permissions on TempoStack and 'get' permissions on Secret in a namespace (for example, a user has ClusterAdmin permissions for a specific namespace), as the user can read the token of the Tempo service account and therefore has access to see all cluster metrics.

Analysis

Tempo Operator incorrectly grants cluster-monitoring-view ClusterRole permissions to Tempo service accounts when Jaeger UI Monitor Tab is enabled, allowing authenticated users with TempoStack creation and Secret read permissions in a namespace to extract the service account token and gain unauthorized access to all cluster metrics. The vulnerability affects Grafana Tempo Operator and carries a CVSS score of 4.3 with low EPSS exploitation probability (0.21%, 44th percentile), indicating limited real-world attack likelihood despite the information disclosure impact. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical Context

The Tempo Operator is a Kubernetes operator that manages Tempo instances and automates their deployment within Kubernetes clusters. The vulnerability stems from improper Kubernetes RBAC (Role-Based Access Control) configuration, specifically in how the Operator binds ClusterRoles to service accounts. When the Jaeger UI Monitor Tab feature is enabled, the Operator creates a ClusterRoleBinding that assigns the cluster-monitoring-view ClusterRole to the Tempo instance's service account. This violates the principle of least privilege: a service account controlled from within a single namespace receives a cluster-scoped read permission, and anyone able to read that account's token in the namespace inherits it. The root cause is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), which covers improper access control over sensitive data. The attack vector is network-based with low complexity, but requires authenticated user privileges (PR:L in the CVSS vector): an attacker must already hold 'create' permissions on TempoStack resources and 'get' permissions on Secrets within a specific namespace, permissions typically granted to cluster administrators or namespace-scoped power users.

Affected Products

Grafana Tempo Operator versions prior to the patched release are affected. The vulnerability has been tracked in Red Hat's security advisories RHSA-2025:3607 and RHSA-2025:3740, and is confirmed in the upstream Grafana Tempo Operator repository. The fix has been proposed in GitHub pull request grafana/tempo-operator#1144. Customers using Tempo Operator with Jaeger UI Monitor Tab functionality enabled should consult the Red Hat errata and GitHub PR for specific version guidance. The exact patched version number is not independently specified in the provided references, so users should refer to the Grafana Tempo Operator release notes and the referenced Red Hat advisories for version-specific remediation guidance.

Remediation

Upgrade Grafana Tempo Operator to the patched version referenced in GitHub PR grafana/tempo-operator#1144 and Red Hat advisories RHSA-2025:3607 and RHSA-2025:3740. Until patching is completed, administrators should immediately review and restrict 'create' permissions on TempoStack resources and 'get' permissions on Secrets containing service account tokens within Kubernetes namespaces. Disable the Jaeger UI Monitor Tab functionality in Tempo instances if cluster-monitoring-view access is not strictly required. Apply Kubernetes NetworkPolicies to the Tempo pods (NetworkPolicies select pods, not service accounts) to restrict their access to the Prometheus or metrics API endpoint, adding a further layer of segmentation. Audit and log all requests to the metrics API from Tempo service accounts to detect any unauthorized access attempts.
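The ClusterRoleBinding described under Technical Context is visible to any cluster auditor, so the review step above can be scripted. The following script is an added example, not code from the Tempo Operator, Red Hat or vuln.today: it reads the JSON that `kubectl get clusterrolebindings -o json` prints and lists every namespaced ServiceAccount that a ClusterRoleBinding ties to cluster-monitoring-view (or any other ClusterRole you name), skipping an allowlist of accounts expected to hold it. The binding, namespace and account names in the embedded sample, and the allowlist, are constructed for the example.

```python
"""Find ClusterRoleBindings that hand a cluster-wide metrics-read ClusterRole
to namespaced ServiceAccounts.

Added example, not Tempo Operator code. Input is the JSON that
`kubectl get clusterrolebindings -o json` prints, so the script runs offline
against the constructed sample below and, in a cluster, as:

    kubectl get clusterrolebindings -o json | python3 audit_crb.py
"""
import json
import sys

# ClusterRoles whose binding to a namespaced ServiceAccount deserves review.
# cluster-monitoring-view is the role named in the advisory; add others as needed.
SENSITIVE_CLUSTER_ROLES = frozenset({"cluster-monitoring-view"})


def find_sa_bindings(crb_list, roles=SENSITIVE_CLUSTER_ROLES, allow=frozenset()):
    """Return one finding per (binding, ServiceAccount) pair that grants a
    ClusterRole in `roles`, except subjects listed in `allow` as
    (namespace, name) tuples."""
    findings = []
    for crb in crb_list.get("items", []):
        role_ref = crb.get("roleRef") or {}
        # A ClusterRoleBinding always references a ClusterRole, but the check
        # keeps the function safe on hand-edited or partial input.
        if role_ref.get("kind") != "ClusterRole" or role_ref.get("name") not in roles:
            continue
        for subject in crb.get("subjects") or []:
            if subject.get("kind") != "ServiceAccount":
                continue
            key = (subject.get("namespace", ""), subject.get("name", ""))
            if key in allow:
                continue
            findings.append({
                "binding": crb.get("metadata", {}).get("name", ""),
                "role": role_ref["name"],
                "namespace": key[0],
                "serviceaccount": key[1],
            })
    return findings


def render(findings):
    """Format findings one per line, suitable for a ticket or a log."""
    return [
        f"{f['binding']}: ClusterRole {f['role']} -> "
        f"system:serviceaccount:{f['namespace']}:{f['serviceaccount']}"
        for f in findings
    ]


# Constructed sample in `kubectl ... -o json` shape. All names are invented:
# a Tempo-style binding in namespace "tracing", a monitoring account that is
# expected to hold the role, an unrelated binding, and a binding to a human user.
SAMPLE_CRB_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "tempo-simplest-cluster-monitoring-view"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "cluster-monitoring-view"},
            "subjects": [{"kind": "ServiceAccount", "name": "tempo-simplest",
                          "namespace": "tracing"}],
        },
        {
            "metadata": {"name": "monitoring-prometheus"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "cluster-monitoring-view"},
            "subjects": [{"kind": "ServiceAccount", "name": "prometheus",
                          "namespace": "monitoring"}],
        },
        {
            "metadata": {"name": "developers-view"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "view"},
            "subjects": [{"kind": "Group", "name": "developers",
                          "apiGroup": "rbac.authorization.k8s.io"}],
        },
        {
            "metadata": {"name": "alice-metrics"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "cluster-monitoring-view"},
            "subjects": [{"kind": "User", "name": "alice",
                          "apiGroup": "rbac.authorization.k8s.io"}],
        },
    ],
}

# Assumed allowlist: the monitoring stack's own account legitimately holds the role.
EXPECTED_SUBJECTS = frozenset({("monitoring", "prometheus")})


def main():
    # With no piped input (a terminal on stdin), fall back to the embedded sample.
    crb_list = SAMPLE_CRB_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    findings = find_sa_bindings(crb_list, allow=EXPECTED_SUBJECTS)
    for line in render(findings):
        print(line)
    # Non-zero exit lets a CI job or cron check fail on any unexpected grant.
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

On the sample the only report is the Tempo-style binding in the tracing namespace; the monitoring account is allowlisted, the Group and User subjects are ignored because the advisory's concern is a token that can be read from a namespace Secret. Any account the cluster's monitoring stack genuinely needs belongs in EXPECTED_SUBJECTS, so that a scheduled run exits non-zero only on bindings nobody expected.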

Priority Score

22 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.2
CVSS: +22
POC: 0

Vendor Status


CVE-2025-2842 vulnerability details – vuln.today
